Thursday, April 29, 2010

Using MakeCert to create a certificate with a trusted root for an IIS website

Why? If you don't use a certificate with a trusted root, web browsers will complain that there is something wrong with the certificate. So what you need to do is create both the Certificate Authority certificate (the root) and a derived certificate that you can use on your website. You then need to install the root certificate on all the clients that will access the website. Once that is done, when the clients access your site over SSL (https), they will get the lock icon and no error messages.

The most important use of this configuration is when you need to use username authentication with WCF over wsHttpBinding (WCF will not allow this configuration over an improperly configured SSL connection). A separate post will detail how to enable username authentication using wsHttpBinding in WCF.

Note: this should only be used for development/testing, never for production.

1. Make a Certificate Authority certificate (root certificate) that is installed to “Trusted Root Certification Authorities”

makecert -r -pe -n "CN=Raj Local Certificate Root" -ss Root -sr localMachine -a sha1 -sky signature -sv c:\certs\RajRoot.pvk c:\certs\RajRoot.cer

2. Check that the cert was installed to “Trusted Root Certification Authorities”

To do this you need the Certificates admin tool. The easiest way to open it is:
Start > Run > MMC
File > Add-Remove Snap-In
Click Add
Select Certificates and click Add
Select Computer Account and hit Next
Select Local Computer

The CA certificate (created in step 1) is the one you will have to install on all the clients that will access the SSL website; otherwise they will get an error that the certificate is not trusted.

3. Create a certificate signed by the CA cert. This is the one you will install on your web server. In the command below, fq.dn stands for the fully-qualified domain name of your server.

makecert -pe -n "CN=fq.dn" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic c:\certs\RajRoot.cer -iv c:\certs\RajRoot.pvk -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv c:\certs\rajServer.pvk c:\certs\rajServer.cer
pvk2pfx -pvk c:\certs\rajServer.pvk -spc c:\certs\rajServer.cer -pfx c:\certs\rajServer.pfx

In the certificates admin tool, right-click > All Tasks > Import and import the .pfx file that you created above.

4. Assign the certificate to your IIS website.

Right click on the website > Properties > Directory Security tab
Server Certificate
On the second page choose “Assign an existing certificate”
Select the certificate that you imported in the last step of (3).

5. Test

Try to browse to a valid page on your site. Then change the http in the address to https, try again, and make sure you are able to connect to the site.
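Before testing in the browser, it helps to check from the machine itself that the imported server certificate really chains to the root from step 1 and carries the Server Authentication EKU. The PowerShell script below is an added example, not part of the original post; it assumes the two subject names match the -n values used in the makecert commands above and that fq.dn has been replaced with the real host name.

```powershell
# Added example: verify the makecert output in the local machine store.
# Assumes the subjects below match the -n values given to makecert.
$rootSubject   = "CN=Raj Local Certificate Root"   # step 1 -n value
$serverSubject = "CN=fq.dn"                        # step 3 -n value (use your real FQDN)
$serverAuthOid = "1.3.6.1.5.5.7.3.1"               # step 3 -eku value: Server Authentication

# The root must sit in Trusted Root Certification Authorities of the machine store (step 1/2).
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $rootSubject } | Select-Object -First 1
if (-not $root) { throw "Root certificate not found in LocalMachine\Root; repeat step 1 and check step 2" }

# The server certificate imported from the .pfx must be in the Personal store with its private key.
$server = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $serverSubject } | Select-Object -First 1
if (-not $server) { throw "Server certificate not found in LocalMachine\My; repeat the import in step 3" }
if (-not $server.HasPrivateKey) { throw "Server certificate has no private key; import the .pfx, not the .cer" }

# SChannel only offers the certificate for SSL if its EKU includes Server Authentication.
$eku = $server.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
if (-not $hasServerAuth) { throw "Server certificate lacks the Server Authentication EKU (check the -eku option)" }

# Build the chain the same way a client on this machine would; makecert certs carry no CRL, so skip revocation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($server)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("Chain problem: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    throw "Chain does not validate; browsers will show a certificate error"
}

# The last element of the built chain must be the root we created, not some other CA.
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) { throw "Chain ends at a different root than the one created in step 1" }

"OK: '{0}' chains to '{1}' and is usable for SSL" -f $server.Subject, $root.Subject
```

The chain check does not compare the certificate's CN with the host name; the browser does that separately, so the name in the address bar must still match the CN you gave makecert.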

Notes:

Using MakeCert: http://www.digitallycreated.net/Blog/38/using-makecert-to-create-certificates-for-development (a good post that details all the different options)

Creating X.509 Certificates using makecert.exe: http://blogs.microsoft.co.il/blogs/applisec/archive/2008/04/08/creating-x-509-certificates-using-makecert-exe.aspx